nanog mailing list archives
Re: Detecting Attacks
From: Valdis.Kletnieks () vt edu
Date: Sun, 12 Jun 2016 12:04:12 -0400
On Fri, 10 Jun 2016 22:22:31 -0700, subashini hariharan said:

> The aim is to detect DoS/DDoS attacks using the application. I am going to use ELK (ElasticSearch, Logstash, Kibana) for processing the logs (Log Analytics).

Bad approach. At that point, not only is the application being DDoS'ed, but now your logging system may be overwhelmed as well. And a favorite attack method is to throw a DDoS at one application (your http server, for instance), and while you're drowning in logfiles, slip in an exploit for something else (you *did* patch that tftpd server, right?). Also, the vast majority of DDoS attempts are just fill-the-pipe attacks, which often don't even bother attacking an application, just an IP address. This leverages the fact that there's a lot of routers that can switch average sized packets at line speed, but not minimum sized packets. So the link falls over faster if it's getting pounded with ICMP Echo Request packets or TCP SYN packets than if it's getting 800-byte http requests.
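The point above, that a pipe full of minimum-sized SYN or ICMP packets can take a link down while carrying far fewer bits per second than ordinary 800-byte HTTP traffic, means a detector that only watches bandwidth (or application log volume) will miss it. The script below is an added example, not code from this thread or from Valdis, that aggregates flow records per destination and per one-second window and alerts on packets per second and small-packet share as well as bits per second. The flow record shape, the thresholds, the 100-byte "small packet" cutoff and the sample traffic (destinations in the 192.0.2.0/24 documentation range) are all constructed assumptions; a real deployment would feed it NetFlow/sFlow or port-mirror counters instead.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One sampled flow record (constructed shape; not a real NetFlow/sFlow parser)."""
    ts: float           # flow start time, seconds
    dst: str            # destination IP address under load
    proto: str          # "tcp", "udp" or "icmp"
    packets: int
    bytes: int
    tcp_flags: str = ""  # "S" = SYN only, "PA" = PSH/ACK, ...


SMALL_PACKET_BYTES = 100  # assumption: below this average size, count the flow as a small-packet flood


def window_stats(flows, window=1.0):
    """Aggregate flows per (dst, time bucket): pps, bit/s, average size, small/SYN/ICMP shares."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "small_pkts": 0, "syn_icmp_pkts": 0})
    for f in flows:
        b = buckets[(f.dst, int(f.ts // window))]
        b["packets"] += f.packets
        b["bytes"] += f.bytes
        avg = f.bytes / f.packets if f.packets else 0.0
        if avg < SMALL_PACKET_BYTES:
            b["small_pkts"] += f.packets
        if f.proto == "icmp" or (f.proto == "tcp" and f.tcp_flags == "S"):
            b["syn_icmp_pkts"] += f.packets
    stats = {}
    for key, b in buckets.items():
        pkts = b["packets"]
        stats[key] = {
            "pps": pkts / window,
            "bps": b["bytes"] * 8 / window,
            "avg_size": b["bytes"] / pkts if pkts else 0.0,
            "small_share": b["small_pkts"] / pkts if pkts else 0.0,
            "syn_icmp_share": b["syn_icmp_pkts"] / pkts if pkts else 0.0,
        }
    return stats


def classify(stats, pps_limit, bps_limit):
    """Return {(dst, bucket): [reasons]} for every bucket that crosses a bandwidth or packet-rate limit."""
    alerts = {}
    for key, s in stats.items():
        reasons = []
        if s["bps"] > bps_limit:
            reasons.append("bandwidth")
        if s["pps"] > pps_limit:
            kind = "pps"
            if s["small_share"] > 0.8:
                kind += "-small-packets"
            if s["syn_icmp_share"] > 0.8:
                kind += "-syn/icmp"
            reasons.append(kind)
        if reasons:
            alerts[key] = reasons
    return alerts


def constructed_flows():
    """Constructed sample: ordinary HTTP to 192.0.2.10 plus a 40-byte SYN flood against 192.0.2.20."""
    flows = []
    for i in range(10):   # 10,000 pps of 800-byte packets = 64 Mbit/s
        flows.append(Flow(0.1 * i, "192.0.2.10", "tcp", 1000, 800_000, "PA"))
    for i in range(50):   # 100,000 pps of 40-byte SYNs = only 32 Mbit/s
        flows.append(Flow(0.01 * i, "192.0.2.20", "tcp", 2000, 80_000, "S"))
    return flows


def demo():
    """A 100 Mbit/s bandwidth limit alone sees nothing; the 50k pps limit catches the SYN flood."""
    stats = window_stats(constructed_flows())
    return classify(stats, pps_limit=50_000, bps_limit=100_000_000)


if __name__ == "__main__":
    for key, reasons in demo().items():
        print(key, reasons)
```

Run as-is it reports only the 192.0.2.20 bucket, flagged for packet rate, small packets and SYN-only flags, while the HTTP traffic to 192.0.2.10 carries twice the bits per second and stays quiet. The thresholds belong to the router or link in front of the application, not to the application, which is why the counters come from flow data rather than from the web server's own logs.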